Mermaid: Improper sanitization of configuration leads to CSS injection

Description

Mermaid’s default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options.

Live demo: mermaid.live

Recommendation

Update the mermaid package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 10.9.5

  >= 11.0.0-alpha.1, <= 11.14.0**

• Patched version(s): **10.9.6

  11.15.0**

References

• GHSA-87f9-hvmw-gh4p
• CVE-2026-41159
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection - CVE-2026-41148
• Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection - CVE-2026-41149
• Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde - CVE-2026-26974
• dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration - CVE-2026-34725

You might also like:

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

mermaid